[Zope3-dev] Security Proxies
Jim Fulton
jim at zope.com
Tue Dec 23 15:54:08 EST 2003
Roché Compaan wrote:
> I am busy moving a rather big app to Zope3 and my battle with security
> proxies is becoming a bit of show stopper. "setattr" on security proxies
> don't remove proxies around "value" which causes the ZODB to complain
> "Cannot pickle <type 'zope.security._proxy._Proxy'> objects". This
> occurs at a point when the security.checker's check_setattr has already
> passed without exceptions.
Note that the setattr security check has nothing to do with the value.
The value of the attribute isn't taken into account.
> It is easily reproducable as well - just declare an interface with an
> "Object" schema field, with add- and editform and implement it.
Right. It have to remove proxies before saving a value.
> Now it doesn't seem right that schema fields should remove proxies
> before calling setattr since a security check is done during "setattr".
No, It's fine to do that since the security check doesn't depend
on the value.
> Hence my conclusion that this looks like a bug. If it is and I am not
> missing something obvious I'll file it in the collector.
What is a bug? I'm can't tell what "this" is.
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
More information about the Zope3-dev
mailing list